This kind of charging of specific foreign military or intelligence personnel for hacking US institutions is somewhat controversial in the US intelligence community [1].
Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.
Another worry is that indicting people might give away information about your sources and methods.
>Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.
How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?
I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.
An alleged spy (or confirmed wife of spy) recently ran over and killed a teenager near a US base (where Americans are regularly seen driving on the wrong side of the road) here in the UK and they managed to claim some kind of diplomatic immunity and run away, they can basically get away with anything in the right place.
There is a big difference between diplomatic immunity versus crimes in absentia.
In the former case a physical crime was committed where the suspect and criminal act were both in the geography where the crime is alleged. If not for diplomatic status there would be nothing unique about this case and criminal proceeding would move forward with the suspect in apprehension.
In the latter the suspect has no relationship to the geography where the crime was committed. The suspect is not a resident or citizen and was not present or planning to visit the geography in question. Furthermore the suspect was likely acting on orders of a nation-state and so bears limited responsibility. There is no legal recourse to apprehend the suspect.
>There was no diplomatic immunity in this instance.
Well that's just wrong.
There's diplomatic immunity unless the visiting country explicitly waives it. It's not based on some hypothetical legal theory of whether she should have it or not. The visiting country either waives it, or doesn't.
In this case, the police requested a diplomatic waiver and were denied.
In particular, the Vienna Convention on Diplomatic Relations does extend the diplomatic immunity to family members who form part of the diplomat's household.
Additionally, the husband was not on a diplomatic mission, was not a registered diplomat, and does not qualify for diplomatic immunity by the rules of the host country.
The rules only matter with regard to who's allowed entry under what status. They're not subject to review after entering, except for expulsion.
I'm going to assume you're conflating the definitions of diplomat. The Vienna convention only sets a minimum standard. The things you're talking about might matter if it's the US and maybe Libya.
For friendly countries, there are agreements that extend the diplomatic privileges well beyond the core diplomatic party.
And once rules are agreed upon, they only apply to who is let into the country under what status. So entry can be denied, but once allowed in with a diplomatic or official passport, the host country can't change that status. All they can do is expel the person.
If the UK allowed entry under a diplomatic / official passport, that's all that matters.
Regardless, in a "possession is 9/10s of the law" sort of way, the only thing that matters in practice is if the visiting country waives immunity.
I read about this story a while back, very sad. However, she not only had diplomatic immunity, but a foreign government was saying she should be thrown in jail for up to 14 years for an accident. How can you blame her for returning to her own country and claiming that immunity?
The claim of diplomatic immunity was tenuous at best. Her husband was not listed as an official diplomat (the claim was that she had immunity via her husband).
The victim's family recently accused the driver of working for the CIA, and if she was in fact a spy she absolutely doesn't have immunity. That's just an accusation, of course.
If your country backs up your claim for diplomatic immunity, it's pretty much good.
There's no other measure of quality that matters in a practical sense. If the host country wants to dispute that, their recourse is expulsion.
And CIA and other agencies certainly do act under the auspices of diplomatic protection. Barring any movie-like treasonous behavior, why wouldn't they? They're government officials working in an official capacity while abroad.
Besides, being ex-CIA doesn't disqualify spousal immunity. Even if the host country had a problem with that, the recourse is... expulsion.
"she should be thrown in jail for up to 14 years for an accident."
This is such an American-centric view of the world. If you don't want to abide by the moral standards of another country, maybe... uh... don't go there?
On top of that, it is VERY easy to write what JB775 did above if you read about this in the news. If it was his/her child though the sentiment of the comment would be very different.
Laws and courts are there for all. The fact that this lady killed a child, and chose to flee the country, says a lot about her character. All this would have probably been resolved with a generous compensation (by the US gov to the victim's family)(all except bringing the child back). She didn't do anything on purpose until she flipped the finger to UK justice and the victim's family and ran away like the rat she is (let's not forget that she killed a child). US gov on the other hand protects its citizens (even those who kill children and flee justice - great job USA)(she was in the UK, she would have a fair trial). It's a messed up story that only has pain, sorrow, and anger.
My sister was killed 5 months ago as a result of injuries from a car accident where someone was negligent. That person is currently in prison. My family had the opportunity to make the penalties much harsher for that person, but we decided against it. It reached a point where we didn't see the point in causing even more pain to an already excruciating situation. Not to mention they need to go about the rest of their life living with what they've caused.
I'm not saying there shouldn't be any compensation or repercussions, but the possibility of 14 years for an accident is absurd. If it wasn't an accident or if she was in fact negligent, that's another story. And what precedent would the US gov be setting by turning over gov employees working abroad (or their families)?
Now that you know I basically have gone through this, maybe you should re-think your sentiment.
That's not the point. If the law in some place says so and so, and you break it (even if involuntarily), you can't say 'oh I disagree with that law so I'm going to flee the country and that's morally ok because in my country we have different ideas about responsibilities of car drivers'.
> I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.
On the contrary, I think we are pulling in too many assumptions into "cyber". Imagine this: if someone had left their door unlocked and someone came in and stole their lawn mower, you could say they deprived the owner of use of their lawn mower. However, imagine if equifax removed [authorize] in an http endpoint like /v2/person/:id allowing anyone to just GET /v2/person/1 .. 999999999 consecutively. Is this a criminal matter? I'd say no. I'd go further and say that this "cyber" fearmongering has gone too far and we should ABOLISH the CFAA. The EFF has still laid their hopes on reform but I for one think it is irredeemable and must be abolished with no replacement.
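How the operator of such an endpoint could spot the sequential walk of `/v2/person/:id` described in the comment above, as an added example that is not part of the thread. The log format, the client addresses and the `min_run` threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed access-log format (constructed for this example):
#   <timestamp> <client> "GET /v2/person/<id>" <status> auth=<none|token>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "GET /v2/person/(?P<id>\d+)" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)

# Constructed sample log: one client walks ids 1..8 with no credentials and is
# served every record; the other clients are there as non-matching contrast.
SAMPLE_LOG = "\n".join(
    [f'2020-02-10T10:00:{i:02d}Z 192.0.2.44 "GET /v2/person/{i}" 200 auth=none'
     for i in range(1, 9)]
    + [
        # Authenticated client: ignored even when its ids happen to be consecutive.
        '2020-02-10T10:01:00Z 198.51.100.9 "GET /v2/person/5512" 200 auth=token',
        '2020-02-10T10:01:01Z 198.51.100.9 "GET /v2/person/5513" 200 auth=token',
        # Unauthenticated client that is refused: the endpoint did its job.
        '2020-02-10T10:02:00Z 203.0.113.5 "GET /v2/person/1" 401 auth=none',
        '2020-02-10T10:02:01Z 203.0.113.5 "GET /v2/person/2" 401 auth=none',
        '2020-02-10T10:02:02Z 203.0.113.5 "GET /v2/person/3" 401 auth=none',
        # Unauthenticated and served, but only a short run.
        '2020-02-10T10:03:00Z 192.0.2.80 "GET /v2/person/40" 200 auth=none',
        '2020-02-10T10:03:01Z 192.0.2.80 "GET /v2/person/41" 200 auth=none',
        '2020-02-10T10:03:02Z 192.0.2.80 "GET /v2/person/90" 200 auth=none',
        'this line is malformed and must be skipped',
    ]
)


def longest_run(ids):
    """Return (length, first_id, last_id) of the longest stretch in which each
    id is exactly the previous one plus one, in request order."""
    best = (0, None, None)
    start = 0
    for i in range(len(ids)):
        if i > 0 and ids[i] != ids[i - 1] + 1:
            start = i
        length = i - start + 1
        if length > best[0]:
            best = (length, ids[start], ids[i])
    return best


def find_enumeration(log_text, min_run=5):
    """Flag clients that were served (HTTP 200) a consecutive run of at least
    min_run person ids without presenting any credentials."""
    served = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash
        if m["auth"] == "none" and m["status"] == "200":
            served[m["client"]].append(int(m["id"]))
    findings = {}
    for client, ids in served.items():
        length, first, last = longest_run(ids)
        if length >= min_run:
            findings[client] = {"first_id": first, "last_id": last, "run": length}
    return findings


if __name__ == "__main__":
    for client, hit in find_enumeration(SAMPLE_LOG).items():
        print(client, hit)
```

A hit here means two things at once: a client is enumerating records, and the endpoint is answering without an authorization check, which is the condition to fix first.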
Just to play devil's advocate: If an armored Brinks truck gets in an accident and cash spills all over, it's not legal to take just because it's no longer protected and on public land.
Intent has to matter a lot in these cases, though.
If a bill blows a mile away and somebody happens to find it with no knowledge of the crash, that's qualitatively different than witnessing the accident and then rushing to grab the money you watched spill out.
Just to be practical: the internet is not a magical place just one where anonymity is so practical that one can not justify a figurative brink truck failing. Moreover, it's absolutely unacceptable for institutions like Equifax to fail given the importance of identity security and the apparent lack of (or unwillingness to consider) alternatives to the social security number such as PKI; PGP for example. If you've ever seen a bitcoin paper wallet with QR codes printed on it you'll know what I'm talking about. I don't care if it's Apache Struts or PHP + mySQL they should have tested to the point of impossibility of intrusion. I think it's also reasonable to assume that the government is full of shit, and the most likely scenario is that these people in China admitted this to the government because they wanted us to know that they did it. If anything they're doing us a favor, but I still think the real solution to the problem is to stop relying so heavily on pseudo-secret identities like the social security number and to at least offer people an alternative means that uses cryptography at least for the people who care about doing things right and taking responsibility for their own security since the government can only make fraudulent guarantees that we're ever going to be safe.
Maybe I'm wrong about this, but I'm pretty damn sure if you use tor the right way they're not ever going to find you unless you give yourself away some other way.
No, for sure, stealing is a dick thing to do. But I like to keep my expectations reasonable. Can I reasonably expect to carelessly leave my phone at a table in a place where crime is known to happen when I know better?
I do not see how, given that this is about the equifax events. Is it really different if you copy a "top secret" text file or if you take photographs of your screen displaying it?
Nobody will care if you take a photo of money. Copying the money, as in making a physical copy is a problem.
This is different from information which is inherently not physical, so any copy of representation is a copy. The grey area of course is a lossy copy... redistributed low-res copies of art, etc.
One problem is the metaphor of place. The internet is not composed of tool sheds that contain lawnmowers; it is not composed of places at all. The internet is a network that allows hosts to send packets to other hosts. These packets are, fundamentally, communications. A communication can constitute a fraud or a slander or a copyright violation or certain other communication-oriented crimes or torts, but communication is never theft.
The "place" metaphor was intended to help people who don't have an intuitive understanding of communication networks. Since POTS had existed for many decades, it's not clear that this metaphor was ever necessary. No one ever confused a phone number with a place. Now that most living people have had childhoods during which the internet existed, the metaphor is certainly not necessary now.
If host A on the internet responds to a simple unauthenticated GET from host B with PII, we really shouldn't be blaming host B. The "place" metaphor obscures that fact.
Of course it's a criminal matter! When a bank is negligent and leaves the doors unlocked, they're on the hook for massive civil liability if people's deposit boxes are robbed. The thief is still going to jail if caught, though.
IANAL (I am not a lawyer) - but I think there’s a distinction here in that the lawn mower is going to be on private property, but having urls in the Internet is generally assumed to be public.
According to the DMCA, even if it’s up for public viewing, the mere act of making a copy is theft. For example, if the MPAA posted a full length movie on YouTube for free viewing, and you made a copy, you’ve committed a crime. That’s ignoring the fact that you already do make a copy: your browser cache. It’s perverted, but it’s what the law is.
> How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?
It depends, I'd say mostly on the public outcry. For "extralegal renditions" aka kidnapping by the CIA in Europe, some investigations were happening, some charges were brought, but I haven't heard anything about conclusions.
Cyberspace attacks even against allies have generally been considered part of diplomacy, e.g. the US breaking into Germany's telecommunication systems to spy on Merkel's SMS.
Since this isn't even a state <=> state issue, it's more like the NSA's decades long industrial espionage: business as usual.
It's partly a matter of jurisdiction. Most of the time criminals are in the same location as their alleged crimes. Not so with hacking over the internet. That's one reason why "cyber" gets special treatment and can be tricky.
And that's ignoring the implications of it possibly being a state actor.
> Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.
Good. If you get caught committing a crime you should be charged with it.
> Another worry is that indicting people might give away information about your sources and methods.
Also good. US intelligence should not be holding back 0days.
Apparently there no longer is a universally accepted definition of peace time, or military personnel for that matter. See Omar Khadr fiasco for example.
> - they kill other military personnel during peace time
I see that you did some effort choosing the word "peace time" to be able to say "well we are at peace with China, thus this is fine to charge them", but at the end of the day, what is peace time? Does receiving the order to attack a target make it become a war? They got an order to attack the US company, this is not peace.
> I see that you did some effort choosing the word "peace time" to be able to say "well we are at peace with China, thus this is fine to charge them"
Incorrect, actually I did it because I am against events such as the murder of the Irani general. I personally do not think that hacking should be illegal so I do not think that the Chinese agents should be charged in this instance.
It's up to the bank to provide a secure service. Also if you get hacked as a business a couple of times your insurance premiums will go up. In the same vein shoddy IoT devices (and I argue anything that is online) should be fair game exactly so that things have a chance to become more secure. BrickerBot (e.g. Janit0r) had the right ideas here ... Even Japan got inspired by Brickerbot and knocked many devices offline last year which have become unserviceable and posed too great a liability.
If it were really about providing secure services then we'd be holding companies responsible, and even encouraging hackers to clean up those systems by hacking them. But it isn't about security so instead we're criminalizing hackers and engage in security-theater.
It’s ridiculous how many people here seem to think China is somehow special as far as this sort of hacking goes.
Shadowbrokers leaks even make it easy to identify specific NSA operators, for example Michael A Pecoraro, Nathan S. Heidbreder, Gennadiy Sidelnikov and a Brian C Fong
Going after specific Chinese individuals means throwing these US operators under the bus.
Part of the calculation of taking these types of jobs should be the consideration that there's a strong chance you'll never be able to visit a foreign country ever again.
If we got in a war with China and soldiers fought each other, we wouldn’t try to charge the soldiers with crimes after the war for killing our soldiers, even though murder is generally worse than hacking. (Excepting war crimes, but is hacking a war crime?)
Considering many of these soldiers are probably conscripts and might be killed or imprisoned if they don’t follow orders to hack us, I can see the case for treating them like normal soldiers and not like criminals.
On the other hand I guess charging individuals is a way for the government to ignore that ultimately China’s government is the one responsible for their military’s actions.
Right. I find this announcement rather alarming as a non-US earth-living human.
1. Foreign nationals, working (?criminally) to exfiltrate information from US companies (or servers in the US) can now be subject to US laws directly?
Isn't this the same as what I saw with the Julian Assange case, where he facilitated his actions while in a foreign country?
It seems there's been a new international law that's been set up that draws a line for any international hacking? But the article doesn't read that way... There are no international criminal courts mentioned...
If that's the case, should I start recording all the US IPs that try to hack into my servers, and take legal steps to have them arrested and extradited to my country? (What a nightmare!)
2. The ability for doxxing of these individuals by the US despite taking significant steps to hide their tracks indicates a certain level of Pwn-ership of the internet as a whole by the US. How could individuals have been revealed? Is IPv6 enough to de-anonymise to individuals' machines or is the US able to 'packet watch' across the entire internet?
> 1. Foreign nationals, working (?criminally) to exfiltrate information from US companies (or servers in the US) can now be subject to US laws directly?
Of course. We live in the 21st century, it's possible to commit crimes in countries you've never visited from halfway across the world. If such people weren't subject to criminal law where they committed their crimes, IT-support scammers, ransomware crooks, and all kinds of other criminals would act with even more impunity than they already do.
I guess there was some question as to whether government hackers could be treated just as badly as proper spies. If you're a gov't hacker, you should probably assume the worst is waiting for you if you are good at your job and avoid summer Beijing trips.
Didn't even have to open the thread to know that the top comment would be whataboutism. Essentially every China-related thread follows the same formula.
Whataboutism, according to my understanding, would be saying that it's OK for China to hack because the US hacks. That's not what the top comment is about.
The top comment is about some in the US intelligence community saying that the US indicting named foreign hackers for hacking US targets might put US hackers in danger and might leak information about US intelligence capabilities.
What are the alternatives? Escalate military tensions with them?
Slap sanctions on whole populations (who actually don’t have a say in this since they live under dictatorship)? Start a war?
Why do anything? It’s well known that US intelligence hacks Chinese (and European!) companies, why escalate with indictments? The Chinese are perfectly capable of namedropping NSA employees too.
>The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke(许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a component of the Chinese military.
How were they identified exactly? I'm always fascinated with these DOJ indictments of foreign state actors but I'm always left wondering how they managed to narrow it down to a small group of people. I'm guessing that "PLA’s 54th Research Institute" employs thousands of people so how does the FBI/DOJ identify the culprits so precisely? Is it through CIA/NSA spying and moles inside the PLA?
You don't see foreign governments identifying individual NSA employees when the NSA hacks into something... so how does the DOJ do it?
> How were they identified exactly? I'm always fascinated with these DOJ indictments of foreign state actors but I'm always left wondering how they managed to narrow it down to a small group of people.
My guess is they counter-hacked the PLA’s 54th Research Institute to identify the culprits, then used parallel construction for the indictment.
IIRC, the public intelligence report on the Russian 2016 election influence campaign revealed that the US had counter-hacked some of the Russian groups involved, and used the information gained from that as evidence to attribute the overall campaign to the Russians.
They've just named some names. These people might be associated with that "institute", but they're just as likely to be custodians or secretaries as hackers.
On the "surveillance footage", were they mopping and sweeping? I wonder whether such "footage" constitutes prima facie evidence for an indictment going the opposite direction...
Your reply to that comment was about Russia, so everything from that on down was probably a waste of time. Then again, we're talking about DoJ indictments of foreign soldiers for allegedly accessing data that was open to all, so the whole thing has been a waste of time from the beginning. It's a good thing there isn't any real crime in USA for DoJ to investigate.
> TFA and my first comment ITT are about China. Your reply to that comment was about Russia, so everything from that on down was probably a waste of time.
Can you even follow the thread? The TFA is an American indictment against some Chinese government hackers. There are some unanswered questions about it, which were partially answered by speculation informed by parallels to a similar indictment against Russian government hackers [1] and related reporting [2].
[1] See https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian...: "In 2016, officials in Unit 26165 began spearphishing volunteers and employees of the presidential campaign of Hillary Clinton, including the campaign’s chairman. Through that process, officials in this unit were able to steal the usernames and passwords for numerous individuals and use those credentials to steal email content and hack into other computers. They also were able to hack into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC)..."
Haha ok who's really "trolling" whom? There was an unsubstantiated claim that something had happened in one nation, therefore we can assume it happened in some other nation! Further, we really believe that you really believe those TLA posers were sitting there watching John Podesta tell someone in Russia that his password is "Runner4567", because only Russian hackers would be so clever to phish a genius like John Podesta.
Indictments don't contain evidence. Sometimes they contain rumors of evidence.
>>> Then again, we're talking about DoJ indictments of foreign soldiers for allegedly accessing data that was open to all...
I just noticed that you made a pretty mind-boggling claim there. Is it really your position that Equifax's data was "data that was open to all"?
> There was an unsubstantiated claim that something had happened in one nation, therefore we can assume it happened in some other nation!
No, we can make informed speculation in a discussion. That's quite different than "assuming it [actually] happened."
The main issue here is that you appear to read something, misunderstand or exaggerate it into hyperbole, then respond to your own hyperbole. That's not a good way to have a discussion with anyone.
You are working very hard to support my original statement, you didn't read the indictments very closely (or at all).
If you knew anything about cybercrime attribution, you'd know that indictment was detailed far beyond anything we've ever seen from the DOJ. They took the extraordinary step of giving away hints on collection sources/methods just to make the evidence overwhelming and undeniable.
Which was my point, which instead of addressing you keep trying to obfuscate. Because you are a troll.
I remember your user name, you popped up in another thread about US/China, talked baseless anti-US conspiracies then left. Is there a reason you spend time out of your day to do this?
The "war" you referenced btw, the one we are discussing in this thread, is against the US. Do tell us how the Chinese Military hacking American private companies is somehow the fault of America.
There isn't actually a war. Some Chinese people have been accused of accessing some PII published by Equifax. Even mentioning "war" in these circumstances is a bit twisted. Unlike small nations who can't defend themselves, if we start something with China we'll get our asses kicked. Then your agitation for violent conflict won't seem like such a great idea...
You are guessing that they are guessing, and don't in fact know that. Your opinion has the right to exist, but I'll choose to believe that they identified actual military intelligence officers using methods they're not going to tell us about, to send a strong message to China (whether these specific officers are guilty of these specific offences is immaterial, the outing itself is the message).
I am pretty sure this one is for domestic consumption.
The Chinese are a bogeyman comparable to the Russians. Being tough on them and have the other party being in bed with them is something that is surely useful in a coming election campaign.
As for the ability to trace back traffic sent through 30+ computers placed around the world including China; just think of what surveillance and logging that would entail. It is not really possible.
Other than potentially exposing sources and methods what do they gain exactly? They aren't going to Beijing to arrest them, and only legal indictments aren't (and haven't) going to scare off China.
What if China says “we’re sending you a plane with the four individuals you are after. We insist on their innocence and want to see a fair and public trial”
Then DOJ would have to reveal their sources, wouldn’t they?
What they've done in the past [0], is continually to delay the actual trial. The idea is to force the defendants either to avoid setting foot in the jurisdiction or to spend their entire net worth on defense attorneys.
Or drop charges. This is clearly a what-if that's been taken into account, the implication being that these people either are in fact military intelligence or otherwise very valuable, or don't exist at all.
If Iran made such an accusation against 4 NSA employees, that were actually innocent, do you think that those 4 people would ever be handcuffed, and put on a flight to Iran?
Of course not, that would be idiotic, and horrible for morale. You don't give your own people up, regardless of whether or not they are innocent or guilty.
As such, this is a spherical cow thought experiment. To address it - it's quite likely that the sources would not be revealed in an open trial, due to the catch-all of national security. For a helping of double irony, the sources are likely the product of... Espionage (Digital or otherwise).
Sure, but the US can actually try foreign military officers somewhat fairly. Almost no country in the world can accomplish that, other than perhaps the UK and Canada.
It doesn't matter if the trial is going to be fair or not. Doing this is the worst kind of betrayal that a military can commit against a soldier.
This is also why the US is not even a signatory of the ICC. It, by principle, opposes the sheer notion of Americans facing international trials for war crimes, even in impartial, third party courts. There's no way in hell it would extradite its spies to face trials for computer crimes.
Its arguments for not participating in the ICC are that the trials would be political, and not impartial. That's a stick with two ends.
My first thought was that American spies must have infiltrated the PLA's 54th Research Institute, or infiltrated some branch of the Chinese government that was privy to that information at least.
Which is pretty ironic, really. Whoever did the hacking for the US could be charged by China for basically the same thing the DOJ just charged the Chinese hackers for.
Forensics. Attackers use and sometimes re-use domains, IPs and code to recon, attack and exfil data. Those items may have been used before. All the attributes related to each of those items are cross referenced. You might find a server in this breach was associated with an email address that was used to register a domain in the current breach. That email now loosely ties the two breaches and actors together.
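The cross-referencing described in the comment above, sketched as an added example that is not part of the thread or of any investigator's actual tooling. Incident names, indicator values and the per-type weights are all constructed assumptions; the weights encode the idea that a shared IP ties incidents only loosely while a shared registrant e-mail or code hash ties them more firmly.

```python
from collections import defaultdict
from itertools import combinations

# Assumed confidence weights per indicator type (illustrative, not a standard):
# a shared IP may only mean shared hosting; an e-mail or code hash is stronger.
WEIGHTS = {"ip": 1, "domain": 2, "registrant_email": 3, "code_hash": 3}

# Constructed sample data: every name and value below is invented.
INCIDENTS = {
    "breach-A": {"domain": {"cdn-update.example"}, "ip": {"198.51.100.23"},
                 "registrant_email": {"reg1@mail.example"},
                 "code_hash": {"h-webshell-1"}},
    "breach-B": {"domain": {"portal-sync.example"}, "ip": {"203.0.113.77"},
                 "registrant_email": {"reg1@mail.example"},
                 "code_hash": {"h-loader-9"}},
    "breach-C": {"domain": {"static-img.example"}, "ip": {"203.0.113.77"},
                 "registrant_email": {"reg7@mail.example"},
                 "code_hash": {"h-loader-9"}},
    "breach-D": {"domain": {"news-feed.example"}, "ip": {"198.51.100.23"},
                 "registrant_email": {"reg4@mail.example"},
                 "code_hash": {"h-other-2"}},
    "breach-E": {"domain": {"unrelated.example"}, "ip": {"192.0.2.10"},
                 "registrant_email": {"reg5@mail.example"},
                 "code_hash": {"h-other-3"}},
}


def index_indicators(incidents):
    """Invert the data: (type, value) -> set of incidents where it was seen."""
    index = defaultdict(set)
    for name, indicators in incidents.items():
        for kind, values in indicators.items():
            for value in values:
                index[(kind, value)].add(name)
    return index


def pairwise_links(incidents):
    """Map each incident pair to the sorted list of indicators they share."""
    links = defaultdict(list)
    for indicator, names in index_indicators(incidents).items():
        for a, b in combinations(sorted(names), 2):
            links[(a, b)].append(indicator)
    return {pair: sorted(inds) for pair, inds in links.items()}


def link_score(indicators):
    """Sum the assumed weights of the shared indicators."""
    return sum(WEIGHTS.get(kind, 0) for kind, _ in indicators)


def cluster(incidents, min_score=3):
    """Union-find over incident pairs whose shared indicators reach min_score.
    Clustering is transitive: A-B and B-C put A and C in one cluster."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), inds in pairwise_links(incidents).items():
        if link_score(inds) >= min_score:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for name in incidents:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, inds in sorted(pairwise_links(INCIDENTS).items()):
        print(pair, link_score(inds), inds)
    print(cluster(INCIDENTS))
```

Lowering `min_score` to 1 pulls breach-D into the main cluster on a single shared IP, which shows how sensitive this kind of linkage is to weak indicators.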
If they made it public, they could never do it again.
> You don't see foreign governments identifying individual NSA employees when the NSA hacks into something...
I suspect that it does happen, but most people don't know about it because that requires knowing another language, and then regularly keeping up with the media of another country in that language.
I'm guessing part of the reason they're willing to ID them is because the DOJ knows this will never actually get to court where they'd have to explain how they found them.
Seems likely. I wouldn't be surprised if it was done as a way to get them put on watchlists in all western countries without having to officially reveal any sources or methods.
I am still waiting for Equifax leaders to be charged for their negligence. They failed to keep their software up-to-date [1], while storing sensitive information about millions of US citizens.
>I am still waiting for Equifax leaders to be charged for their negligence.
It's the executives' job to keep software up-to-date? Not the engineers building the software or implementing open-source tools? I understand being buck-stops-here accountable for the hack, but how could they be charged for negligence? Was there a conscious decision by the execs to not update the software?
It'd be hilarious/sad if the executives got punished for something like not updating software, because you know what the result would be? Companies would set up a system to protect execs and ensure the line-workers would be held accountable for hacks or breaches. That'd make our jobs super fun.
> It's the executives' job to keep software up-to-date?
Ultimately, yes. They are in charge, they are accountable.
> because you know what the result would be? Companies would set up a system to protect execs and ensure the line-workers would be held accountable for hacks or breaches.
As if most big companies didn't already have these systems in place.
According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.
Holy shit did not see that coming. Was sure it was some hackers out looking to sell info on dark web. Chinese government gives it a whole different motivation.
The US has essentially an omnipotent traditional military force that can either engage or assure mutual destruction of any opponent on the earth. Nobody can compete successfully. But humans are crafty, and come up with ways to defeat irresistible force.
As we've seen predicted for 20+ years and demonstrated in the public space for 10, our nation's weakest link is that election system and political finance system, particularly for legislators. The checks and balances that are supposed to prevent egregious behavior are broken (see what happened to most US Attorneys since 2016, the impeachment circus, and 100 other things at the state/local level).
Building dossiers on Americans are a great, obvious way to wield this power and to target and enable espionage/influence activity. Recall that the federal agency that keeps records on background checks was breached a couple of years ago. So now you have a hostile nation state that knows everyone, and all of their background data, with security clearances. You can cross-walk that with Equifax information, health insurance breaches (Recall that Blue Cross was also breached), etc and do all sorts of interesting things.
> The US has essentially on omnipotent traditional military force that can either engage or assure mutual destruction of any opponent on the earth. Nobody can compete successfully.
How many times in the past two years have our boats crashed into one another? The F35 program is a complete failure. When we ran Hormuzi wargames, a rag-tag group that fought through guerilla warfare won until our Navy cried and made the other side "fight fair." In the past 80 years the only win we can claim is the Gulf War. This is seriously overstating our military capabilities.
But, a war with China (direct conflict) would be the Naval set-piece battle the US has been dreaming of for decades. Much like how Iraq was the combined arms showcase dreamed of post Cold War. US has struggled at asymmetric combat against regional bad actors, as evidenced nearly everywhere, but your assertion that somehow China would be able to leverage that type of warfighting when their O&G infrastructure and major threat projection airbases are on islands or near shore does not compute. It would be ugly, not straightforward, not "Iraq on water" ... but it would be much different than wargames in geographically tight confines with limited rules of engagement. The US and allies still do hold the Pacific mostly as their own backyard, and that would need to change to tip the balance toward China.
> your assertion that somehow China would be able to leverage that type of warfighting
I'm not saying that, I'm saying that the entirety of the US military is incompetent and pumped too full of cash (despite its many failures) that it's ridiculous to act like no one can compete.
> The US and allies
I know we like to take our satellite states for granted, but that day will come to an end and it seems likely that taking real action against China could be the catalyst.
I hear you and I see the consistency of your arguments, and acknowledge development and production failures and large budgets, but disagree it implies incompetence across the board.
I feel that the ally situation is entirely different - they are USA allies solely for protection against China, and in any real conflict against China the interests of China would be mostly limited to ensuring a regional win against those countries, and the USA would have the choice of either taking real action against China by supporting these allies or not take action and abandon them.
To be clear, the war games had the US military playing the part of the fictional middle-east enemy. This story was news to me and you made it sound a lot more interesting than it turned out to be.
Yes, the US sucks at winning wars. At the same time, I'm not sure what other nation is capable of waging war on the scale of the US. Perhaps the war on a large scale is just an intractable problem that cannot be solved, and the US is the only country that even tries. Not that I think that's a good thing. War in general sucks.
No, if you do a side-by-side comparison, China may do a good job of defending their region, but they would be completely unable to project their power or enter a different theater of war without leaving themselves defenseless. It's no contest at the moment. Besides the fact that due to its unfortunate foreign policy, the US also gets a LOT of practice waging war, whereas the modern Chinese military has almost zero real-life war experience.
Neither side would win a war... there would be no winners, just survivors, with both economies reduced to almost nothing, both populations decimated both by direct costs and indirect (poverty, famine, etc.) costs.
No, the idea that either China or America would "win" a war with each other is naive at best.
That exercise happened in 2002, after the USS Cole bombing in 2000 ashore with a similar attack. How many warships were sunk by speedboats in the last 18 years?
Re: breaches - just because it wasn't overtly stated: you can better know who is corruptible, more easily corruptible - and corrupt them leading locals to working for your opponents.
> The US has essentially an omnipotent traditional military force that can either engage or assure mutual destruction of any opponent on the earth.
Omnipotent and "assure mutual destruction" are contradictory if you think about it. MAD ( mutually assured destruction ) resulted from a lack of omnipotence. If one was omnipotent, one wouldn't require MAD.
> As we've seen predicted for 20+ years and demonstrated in the public space for 10...
If you have a list of federal employees + a list of people's credit histories you can do things like spot people who have security clearances but no credit history.
Jenna McLaughlin did a great piece on how breaches like this are making it almost impossible for intelligence agents to operate under traditional cover:
I saw several people paying cash to settle their bills at a conference once, and thought it was odd since that hotel makes you at least supply a CC for incidentals (and show ID)
Maybe it was to guard against generating useful metadata that could be later breached? Very interesting.
Yep, it could be used for finding extortion targets. Just find someone with bad credit who also works for some sort of sensitive program, and now you have leverage over them.
I don’t know what you mean by “sensitive program” but anything the federal government considers critical disqualifies people like this (even if their credit goes bad after they’re hired.)
They’re very particular about this; particular meaning polygraphs and agents talking to your family members. I know because I almost took a job like this (and know a number of people who have) but the pay and location were crap.
Are you sure that the standards applied to your background checks were also applied to those of relatives of the President? If the background check system is politicized, then this kind of hacking to discover sensitive information might become even more valuable.
This is oversimplified. Anything ITAR or EAR or commercial proprietary related to tech would be prime to extract but would be worked by million(s) US persons with no further background screen beyond basic employability checks. US Gov secret and above requires lots of checks ... but the breadth of the human attack surface for commercial or ITAR technology combined with the Equifax data would in fact be an ace in the hole.
Don't forget that China dumped the OPM database and can cross correlate individuals in important places with credit issues. Foolishly poking at them is the sort of inept strategic thinking this administration is so good at.
I'm fairly sure this info has made it onto the darkweb regardless. A number of people have reported to me that they have been cold called by "their bank" from a spoofed number, given partial account information/address history/ssn last 4/etc, and asked to verify "security questions", and when they hang up and call the bank of course they aren't involved. It sounds exactly like attackers attempting to social engineer their way past the last bits of information they don't have from credit history reports.
Essentially all the data contained in the Equifax breach has been for sale a long time before this breach, the other breached entities stayed quiet so people unfamiliar with the business tend to just assume that Equifax is to blame for everything.
Makes all the people talking about suing Equifax for subjecting them to identity theft look pretty silly.
I think you and I will be surprised more often going forward.
>"The FBI has about a thousand investigations involving China's attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector," Wray said.
>John Brown, FBI Assistant Director for the Counterintelligence Division, said the bureau has already made 19 arrests this fiscal year alone on charges of Chinese economic espionage.
>In comparison, the FBI made 24 arrests all last fiscal year, and only 15, five years earlier, in 2014.
It would be easy to know who to bribe if you know who works in government, and which one has debt. As part of the security clearance check, if you have substantial debt you're not supposed to be able to get a clearance... but I'm sure there are some who get exempt.
How do you know it's true? The indictment insists that the defendants are responsible for the hack, and lists the things that they have allegedly done, but offers... Zero evidence for why these particular defendants were responsible.
The evidence for why is sealed unless there's a trial. There's never going to be a trial, because those guys aren't going to show up to their court date.
It's entirely possible that this has been fabricated for political purposes... It's not like the only people who could disprove the lie (the accused) have any interest in disproving it.
Allegedly. Note that it looks much better for the OPM if they can say they got hacked by "cyber warfare units from China" than "sorry, we are bad at OpSec, a few script kiddies got us".
I think criminal charges against specific government hackers will probably become the norm, since no power is likely to stop hacking other powers yet no powers are too keen to start a war over it. If you're a government hacker, I wouldn't plan on taking any overseas vacations for the rest of your life.
Most security breaches are because of incompetence (typically management/oversight, rather than technical).
Equifax didn't have good oversight of which systems were patched and instead relied on a single employee to remember to do it. One got forgotten. People broke in using an old exploit and then leveraged into Equifax's network.
Equifax's first problem was bad patch policy. Its second problem was lack of network isolation/intranet security/onion-ing. As soon as an edge server was compromised the attacker hit the jackpot and had everything.
The last problem was lack of audit/accountability into who/what was accessing sensitive data on the intranet. If they had that they still would have been compromised and lost data, but not every customer's record (which took a long time).
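The per-account audit of sensitive-data access that the comment above says was missing, sketched as an added example (not code from the thread or from Equifax). The table names, account names, thresholds and audit records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Hypothetical names for tables holding personal data.
SENSITIVE_TABLES = {"consumer_pii", "dispute_docs"}


def build_sample_log():
    """Constructed audit records: (day, account, table, rows_returned)."""
    log = []
    # Ten days of normal activity for a portal's service account.
    for d in range(1, 11):
        for _ in range(20):
            log.append((date(2024, 1, d), "svc_dispute_portal", "dispute_docs", 1))
    # A reporting job that legitimately reads PII in bulk every day.
    for d in range(1, 15):
        log.append((date(2024, 1, d), "svc_reporting", "consumer_pii", 50_000))
    # Days 11-14: the portal account starts reading a table it never used,
    # in many medium-sized queries.
    for d in range(11, 15):
        for _ in range(20):
            log.append((date(2024, 1, d), "svc_dispute_portal", "dispute_docs", 1))
        for _ in range(300):
            log.append((date(2024, 1, d), "svc_dispute_portal", "consumer_pii", 500))
    return log


def detect(log, learning_days=7, ratio=5.0, floor_rows=1000):
    """Flag accounts whose sensitive-data reads break their own baseline.

    Two checks per account and day, after a learning period:
      volume    - rows read exceed max(floor_rows, ratio * median of history)
      new_table - the account reads a sensitive table it never read before
    Flagged days are not added to the baseline, so a slow multi-week
    extraction cannot teach the detector that the new volume is normal.
    """
    rows_per_day = defaultdict(lambda: defaultdict(int))
    tables_per_day = defaultdict(lambda: defaultdict(set))
    for day, account, table, rows in log:
        if table in SENSITIVE_TABLES:
            rows_per_day[account][day] += rows
            tables_per_day[account][day].add(table)

    alerts = []
    for account in sorted(rows_per_day):
        history = []          # daily row totals from unflagged days
        seen_tables = set()   # sensitive tables this account normally reads
        for day in sorted(rows_per_day[account]):
            total = rows_per_day[account][day]
            tables = tables_per_day[account][day]
            flagged = False
            if len(history) >= learning_days:
                if total > max(floor_rows, ratio * median(history)):
                    alerts.append((day, account, "volume", total))
                    flagged = True
                for table in sorted(tables - seen_tables):
                    alerts.append((day, account, "new_table", table))
                    flagged = True
            if not flagged:
                history.append(total)
                seen_tables |= tables
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The bulk reporting account reads far more rows than the portal account yet raises nothing, because each account is compared only with its own history.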
Yes, people are unreliable; that's why we need a more resilient means to establish identity like PKI. Consider PGP for example, they could put QR codes on social security cards for all I care, just fix the real problem for once.
Yep, but now they will be able to play victim card and wrap themselves in American flag. The PR value of this is amazing.
Frankly, this really does explain why they were treated with kid gloves after the incident. I was certain after insider trading came to light, the company will fight with US government to stay alive.
The US needs to treat this as an act of war by a foreign military/government, not as a criminal act by people acting in an individual capacity.
If the US can identify the individual hackers, then they should be able to identify the physical location from which the military committed the acts of war and respond with the use of force as permitted by the UN Charter and international laws and norms. By responding with grand jury indictments the US sets a terrible and dangerous precedent and is telling foreign governments the US will not do anything in response to military based acts of cyber warfare.
By that token, Europe should have gone to war with the US for spying on its very leaders — Angela Merkel, François Hollande, etc. (The Snowden revelations and the aftermath).
I honestly don't see how the US could spin anything positively on the world stage in that regard, they are by far the worst offender as far as spying is concerned. It's not even funny to compare. And there is documentation that tech/trade secrets from foreign companies acquired by e.g. CIA or NSA was given to US companies — industrial espionage isn't exactly new or surprising, but when conducted by Federal Agencies above any control, responsibility or accountability to the US public, let alone the UN or the world...
Your suggestion is disingenuous at best and, I'm sorry to say so, terribly blind to the reality of the world, wherein the US is certainly not an all around good guy. Especially these days, it's clearly a hostile power to most others. As seen from the EU, at least, I can't speak for other places/cultures. But I hear it's not that great in general.
We need to get federal agencies accountable to the US taxpayers, and be more transparent; I 100% agree with that.
I 10000% disagree they should ever have any accountability to the UN or any other international body.
I also do not feel bad that they spied on Angela Merkel; I do care that they spied on US citizens. Spying on Angela Merkel is constitutional and within their remit; spying on US citizens is unconstitutional and not in their remit.
>By that token, Europe should have gone to war with the US for spying on its very leaders
Well not exactly. One was a state sponsored military act of cyber warfare that indiscriminately targeted an entire populace and infrastructure (i.e. a military infringed on the sovereignty of an entire nation state). The other was a targeted intelligence operation.
>Your suggestion is disingenuous at best and, I'm sorry to say so, terribly blind to the reality of the world...
Being from Europe I would assume you would be very familiar with the dangers of failing to act when one military infringes on the sovereignty of another. Though I guess we will see either China will continue hacking and escalate their hacking or they won't...if I were a betting man I would happily take you up on such a bet that China will continue and escalate its military hacking against all nation states.
The grand powers on the world stage are constantly posturing and taking actions to further their own power. The United States is no different. We civilians don't know the majority of what is taking place.
A "hot" war between two powers would be of such a great cost in human life, you would want to avoid it at all costs. This means indicting with a grand jury instead of starting a war.
>A "hot" war between two powers would be of such a great cost in human life, you would want to avoid it at all costs.
I was very careful to specify "respond with the use of force as permitted by the UN Charter and international laws and norms." In other words the UN Charter only permits a response in proportion to the offense. I do think an act of cyber warfare may legally allow use of "armed force" but it would likely have to be limited to targeting the installations where the attacks were coming from (but realistically it is a new and undeveloped area of law with respect to cyber warfare).
The problem in my opinion with failing to act is we signal that there will be no military response, and these acts of cyber warfare escalate to hacking power grids or other infrastructure that results in indirect loss of life. Then due to political pressure all-out war becomes more realistic.
Wasn't this more intelligence gathering?
The appropriate response would be more akin to hacking back into China's social credit scoring company and snooping around.
I believe it raised to a level above spying and intelligence gathering. It was a state sponsored military act of cyber warfare that infringed on the US' territorial sovereignty.
>The appropriate response would be more akin to hacking back into China's social credit scoring company and snooping around.
The purpose of a proportionate response to military acts under the UN Charter and the use of force and armed conflict is not so much "an eye for an eye" (i.e. you hack me, I hack you), but to put an end to the military operations infringing on your sovereignty... for example, assuming you believe Iraq had WMDs and chemical weapons, our response is not to create stockpiles of our own chemical weapons.
I agree and believe the US probably is having a hard time creating escalation mechanisms for cyberwarfare and signaling their strategic needs and interests. When the United States' entire democratic apparatus was attacked during the presidential elections and the only answer was a similar indictment of Russian hackers, enemies have a harder time knowing what is and isn't a "red line".
What would be the "correct" response? Given that citizens affected (including me) have gotten their information used relating to this attack, I'd say a state sponsored cyber counter attack will be/is the best deterrence. UN clearly has not caught up with the times in how to respond to state sponsored attacks.
What do you mean? The parent said they supported a cyber counter attack, which doesn't imply killing anyone unless it's explicitly stated (e.g. attacking critical infrastructure like power stations).
The correct response is recognizing the flaws in our financial system and fixing those.
The response should be shifting the liability back to the credit providers, not the consumers.
The idea of "Identity Theft" should be a thing of the past, for you did not have your identity stolen; you still have your identity. No, the bank was defrauded by giving money to someone they did not properly vet. 100% of the liability should be on them, not the person who they claim had their "identity stolen".
The liability for financial fraud in the US is 180 degrees from where it should be.
Launching missiles at China may make you feel good, but it does not solve the root cause of the problem
You should re-read what I said. Nowhere do I see me saying physical force had to be used.
"Fixing" takes a long time that does not mean one should not deter attacks on the current system. How does one respond to a broken legacy software system that can be taken advantage of? You restrict the actions that can be performed on that system until it is replaced.
deter - discourage (someone) from doing something by instilling doubt or fear of the consequences.
^ this is the deter I am talking about.
APT is on a different level than what you are used to. Also my question was rhetorical. Didn't actually mean for you to answer it. For you or your company it is not a viable solution since you don't have the resources.
But I, as a civilian am not qualified to answer that question. Nor do I want to answer that question.
This is not a perfect analogy, and I don't want you to think that geopolitics is a zero sum game. But, imagine two heavyweight boxers circling each other in a ring. They are bouncing on the balls of their feet. They are moving in what you would almost call a dance. Most of the "fight" is in their footwork, their positioning. When one does jab, the other blocks, or moves out of the way, or takes the hit. Sometimes they counter. Sometimes they punch. This fight goes on for a long, long time. It is not tit for tat. They both want to win.
What you are saying is "That boxer needs to jab back, because the other boxer jabbed at him."
I really do not like having to make calls about fraud for months because some country's military decided to attack electronic property holding a ton of sensitive, very hard to change information. Biggest cyber theft of PII information in US history.
I think it is best for the population on the other side to feel that as well which is why I prefer an electronic counter attack. We need deterrence. If China was to "jab", let them use other means of interaction that doesn't make us want to attack them physically. The more people who are affected financially by this, the more the call for a physical deterrence whether we agree with people's feelings or not.
Techthroway's that have never experienced war and don't study international relations and geopolitics should stop suggesting bullshit like this. I get so tired of people advocating more aggressive stances with other nations when it's not their ass or their offspring that will go to war. This is also why I advocate that next war all the politicians' sons and daughters get drafted and then we can see if they still want to go to war.
Oh wait, the Congress abdicated its constitutional duty to be responsible for declaring war via the unconstitutional War Powers Act and AUMF's...
> Oh wait, the Congress abdicated its constitutional duty to be responsible for declaring war via the unconstitutional War Powers Act and AUMF's...
AUMFs are (often limited and/or conditional) declarations of war, from a Constitutional perspective, not an abdication of the power; the Supreme Court has consistently held that the Constitution doesn't require magic words when exercising the Constitutional power to declare war.
While valid, this is a technical interpretation that misses the point IMO.
Look at the range of actions the AUMF's are applied to. The AUMF's, in effect, allow the executive to wage war pretty much anywhere on the planet for an indefinite amount of time.
In your view, is Congress honoring the spirit of their Constitutional duty?
> Look at the range of actions the AUMF's are applied to. The AUMF's, in effect, allow the executive to wage war pretty much anywhere on the planet for an indefinite amount of time.
Most declarations of war do not have temporal or geographic bounds. What was unusually expansive about the 9/11 AUMF (not AUMFs more generally, neither prior nor subsequent AUMFs have had this feature) is that it also delegates the decision of the actual primary opponent(s) to executive discretion, which, yes, is an abdication of Congressional responsibility. But that's the 9/11 AUMF, not AUMFs in general.
There is no sense of the word "appeasement" that includes the Treaty of Versailles. USA entering WWI and allowing UK and France to win decisively was what caused WWII.
Because apparently it must be said, I am not a "Nazi sympathizer". I would have preferred that the Nazis had never existed let alone dominated a large portion of Europe. Similarly, it would have been better had we not invaded Iraq and caused ISIS to exist.
Not really, the Great Depression caused by private interests in the US overlending to Europeans led to a sovereign debt issue that finally made it possible for Hitler to gain power leading to WW2.
>Techthroway's that have never experienced war and don't study international relations and geopolitics should stop suggesting bullshit like this.
I would venture to guess I have significantly more experience and knowledge with the UN Charter Article 2(4), the UN Security Council and the international laws on the use of armed force than you.
No one said anything about "go to war", the Use of armed force is not "going to war". The UN Charter permits the use of armed force in response to acts that infringe on the sovereignty of any nation by military action.
To bury one's head in the sand at this point in history to foreign military acts against a populace is inviting more invasive and damaging acts of cyber warfare. Do you honestly think China is going to say we got away with this we should deescalate?
> No one said anything about "go to war", the Use of armed force is not "going to war".
???
> The UN Charter permits the use of armed force in response to acts that infringe on the sovereignty of any nation by military action.
Should France have nuked Fort Meade to stop the NSA from infringing on their sovereignty?
I don't understand this line of thinking, it's basically "if we do it, yeah, it's cool. If they do it, it's an act of war against our innocent republic", and you figure everybody will agree to that and not treat your cyber attacks similarly?
>> No one said anything about "go to war", the Use of armed force is not "going to war".
???
Consider the US Seal Team military operating in Pakistan where Bin Laden was killed. That was use of armed force, we infringed on Pakistani territorial sovereignty, conducted a military operation and even killed a couple people...I hope you understand that this example of using armed force is not the equivalent of "going to war."
The thing you are missing is that every action like that carries a risk of causing a war much larger than the original action. As a matter of fact within military circles even the Bin Laden raid was criticised because almost all other operations were coordinated with Pakistan and since Pakistan is particularly unstable and also nuclear the risk was considered worth it for the value of the target, but there was a major potential for escalation and lots of political capital was expended to quell the reaction to that action.
China is not nearly as constrained by diplomatic inroads or other mechanisms at play (such as cultural considerations) that would vastly change the potential of any overt action against China causing an exponential series of increasing escalations that could end up as a major war.
I'm not excusing China and not saying the US or other western countries should lay down for China's increasingly aggressive diplomatic and strategic actions, but rather that the utmost care should be taken in the response, just as the US is doing in the conflicts going on in the South China Sea and increase in espionage cases.
As an Iraq combat vet who has spent quite a bit of time trying to understand these subjects, my general thought is that I really dislike so many armchair quarterbacks speculating and being so eager to throw away others' lives, even if in the of potentialities such as your suggestion. War is one of the most horrible things humans can ever experience and any avoidance of it should be sought in almost all cases possible. It's also annoying how many of those armchair quarterbacks usually don't volunteer to serve themselves.
>The thing you are missing is that every action like that carries a risk of causing a war much larger than the original action.
I fully understand that. The thing you are missing is that by ignoring act of cyber warfare from a foreign military and/or treating acts of war by a foreign military as a domestic criminal case, escalates the risk of causing acts of war much larger than if they were to be nipped in the bud now.
>As an Iraq combat vet who has spent quite a bit of time trying to understand these subjects, my general thought is that I really dislike so many armchair quarterbacks speculating and being so eager to throw away others' lives
I trust you understand there are many uses of force that do not result in lost lives. The very nature of my argument is that the actions of China's military is an act of war and use of force...yet no lives were lost. As I said we should respond proportionately as authorized by the UN Charter and international law...I am not suggesting WW3, nukes or throwing away lives as has been suggested by countless people in this thread.
Just as much as I am admittedly "speculating" that treating cyber warfare by a foreign military will result in escalated attacks...it is also a speculation to suggest China will deescalate their cyber warfare against us.
So the question would fall to you is the US strategy of treating cyber warfare by a foreign military as crimes going to deescalate China's attacks here?
> I hope you understand that this example of using armed force is not the equivalent of "going to war."
It's not a "war" because Pakistan isn't a match for the US. It's very much an act of war, though, Pakistan just chooses to ignore the offense because they can't really do anything about it. That's different with China or Russia. Please don't try landing a Seal team in Moscow to extract some hacker.
I specifically said "respond with the use of force as permitted by the UN Charter and international laws and norms."
It seems clear the people responding talking about all out war and "end of human civilization" don't have much experience with the UN Charter, security council and international laws and norms for the use of force. Generally the legal terms of art I used.
The idea is a proportional response to deescalate future cyber warfare attacks...not end all of humanity.
That produces a Security Council deadlock that then opens the door for General Assembly action under the Uniting for Peace resolution, as has happened roughly a dozen times since UfP was adopted in 1951.
Also plausible is that the Americans don't want to toot their own horn (as the CIA and NSA seldom do) and the Chinese don't want to appear vulnerable and admit they were hacked. The difference in responsibilities to the people that a dictatorship and a democracy are stark, almost regardless of how broken of a democracy it is.
I am no hacking expert, but the fact that the internet is such an open place and knowledge sharing is so widespread, I would lean to the side that they have comparable hacking capabilities as America. I've yet to hear of a reason why they wouldn't other than the standard " 'Murica #1". And given a dictatorship presiding over a massive economy and a valid raison d'etre for such capabilities, there is no reason they cannot fund an equivalent of the NSA
So does the US. If you treat this as an act of war, you automatically classify any cyber operation your operatives have executed as an act of war. Against Russians, against EU countries etc. I don't think anybody really wants that.
It's clearly not the right approach, however the severity of what the breach entails does require a very sharp, adequate response - which hasn't happened yet.
'Doing nothing' (or very little) by no means reduces the possibility of conflict escalation, possibly the opposite.
By declaring such intrusions as an 'act of war' (or maybe something literally just a little less hard sounding) it's a signal to foreign powers of the seriousness of such activities.
There is no doubt that this is a really, really serious act that has to have serious consequences.
In this new 'information era' we have to establish new boundaries. Those boundaries will help establish clarity, validate responses, enable 3rd parties to take a judicial view instead of just a political one etc..
Edit: For the last 30 years, China has been on a fairly exponential path to increasing aggression, there's no reason at all to believe this will not continue to the extent they have the material ability (i.e. supporting economy) unless they are stopped, or it becomes too painful for them to continue. If there is little meaningful response to this action, it will grow 10x. Charging the military staff responsible is the wrong tactic as the state is responsible, not these actors (it may even be against the Geneva convention), but more importantly, the cost to the state is nothing. Throw a few officers under the bus for a massive attack? That is 'no consequence' to them, and maybe even not said charged officers. There won't be any lack of volunteers. There has to be a pretty comprehensive coordinated response, and definitely not just some artefact/negotiating point in a trade war. The response may include trade, but it shouldn't be part of a tit-for-tat in a trade deal.
Hasn't this precedent already been set a long time ago? I had thought cyber warfare acts were common. I would think they would have to specifically shut down large infrastructure before a response beyond this was even considered.
Considering how much crap the NSA has pulled over the years, I wouldn't consider this an "act of war". More-so tit-for-tat provoking and power posturing. China knows they are the swingin-big-dick of world manufacturing, not to mention the fact they own a massive amount of US treasury bonds and could jolt the world economy at a moment's notice.
>Considering how much crap the NSA has pulled over the years, I wouldn't consider this an "act of war".
It may not seem like a distinction to some, but I think there is a difference from hacking by an intelligence agency and directly by a military. Now if you disagree, that is fine, but also each hack would need to be looked at on the merits to determine what would be a proportionate response, if any.
I know the recent charges list them as members of the Chinese "military", but I wouldn't be surprised if they also did work under the Chinese "intelligence agency" umbrella...especially considering their skillsets. Since the Chinese gov has such a tight grip on everything, I'd assume that the importance of which internal division is cutting which paycheck is more obfuscated than the US as long as it benefits the country.
Yes, because the solution to Cyber Hacking is WW3, ending with everyone launching Nuclear bombs at each other.
Good Plan.
Personally I am impressed that the War Hawks were unable to persuade the Administration to start a Conventional War over this. Good for them for refusing such an action.
> The US needs to treat this as an act of war by a foreign military/government, not as a criminal act by people acting in an individual capacity.
Should every CIA black and grey op... And any operation by the NSA be considered by the target country as an act of war, too?
If a government employee hacking some software system is an act of war, then the US has committed acts of war against China, Russia, Germany, France, the UK, etc, etc, etc.
Committing an act of war against four nuclear powers sounds pretty irrational to me... Maybe we should rein those two organizations in a bit, before they get everyone killed?
Are you going to be picking up a rifle and hitting the beach? Chances are you and your buddies will be wiped out by transonic anti-ship missiles hitting the troop transport ship on the way to China.
I'd be careful throwing around wishes like that. Are you sure the US doesn't do similar hacks? I'd much prefer people steal data than damage/penetrate critical infrastructure. (The latter is something that should be treated much more harshly, in my opinion)
It seems your position is that the response is the trigger, not the initial aggression. How did WW2 start? With Hitler invading Poland, or was that fine, and UK/France bear the blame for WW2 by declaring war on Hitler in response?
It's a somewhat educated guess if they would but I meant who answer who might. I personally anticipate an escalation of tensions along NATO / non-NATO lines and exploitation of destabilized regions. It's almost inevitable, classic Thucydides trap combined with NATO.
Depends. Iran has (allegedly) committed what could be constituted as acts of war already. With the US in a heightened state of engagement in direct conflict with China and possibly regional actors, the Gulf of Oman seems like a great place to touch off a regional conflict.
...their population isn’t a big fan of their governance.
Why would you believe this? The last time they didn't like their government, they replaced it with the current government. Even the Ayatollah was pissed off that they mistakenly shot down a plane full of Iranians; they weren't about to curb the relatively limited public demonstrations that agreed with him on that topic.
Oh, let me guess... you learned of the average Iranian's great political discontent from the USA war media. "Wishful thinking disguised as reporting" leads to wishful thinking in place of analysis.
It's pretty clear that the US hacks other countries far more than other countries hack the US. That's why the US has historically been very reticent to agree to treaties that would limit a country's ability to hack.
If that is the appropriate response then everyone would be shooting at everyone else long ago. You think the US doesn’t hack China, or Russia or pretty much every other country?
Haha, we've got lots of publicly documented evidence of US hacking operations against Chinese entities. Should China treat those as acts of war too then?
Are you crazy? That's one step away from a social credit score.
Orgs like Equifax should not exist. I did not consent to this kind of surveillance, I was forced into it because I needed a paycheck and a place to live. Now I'm paying for it because of the incompetence of others - if the U.S. government instead had this power it would become much more difficult to differentiate between incompetence and malice.
I could be crazy, but I’m not certain of the relevance here.
If the US government ran this, you would at least have a chance at congressional oversight. Equifax is largely unchecked in its present corporate state.
I’d argue for a people very dependent on credit, a financial credit score already approaches the burden of a social credit score.
Agreed, instead what needs to happen is aggressive implementation of inflicting "pain" in their systems via economic measures - however unfortunately democracies around the world aren't stable because the gains from technology haven't been adequately redistributed to society for so long that the current cracks in foundations would turn into a complete collapse; this is something that Presidential candidate Andrew Yang seems to understand the most - and is not only ideal but likely the only candidate who is competent enough to manage China's leadership's behaviour appropriately.
“If Washington can cut China off from American technology at will, China will be determined to build its own technological infrastructure, top to bottom.“
It is certainly the right move to charge individuals rather than directly escalating military tensions with China.
Make life miserable for those directly involved and responsible. Next time, others will push back against an order to attack like this because consequences will be personal for them, not just another move in a war.
> Next time, others will push back against an order to attack like this because consequences will be personal for them, not just another move in a war.
You think Chinese soldiers will push back against orders from above because one time the US made the (supposed) perpetrators' lives miserable?
What do you think China will do? Just say "OK, on second thought you don't have to do that"?
No, it's the opposite. The activity was directed by the state, the state must absolutely be held responsible.
If this were a rogue state, or rogue actors, or non-state related activity like general corruption, as we see with Russian figures, it might make more sense to go after the individuals.
The indictment is linked at the bottom of the page and has interesting technical details.
Even more interesting is the question of how the named individuals were identified, which is not addressed in the indictment. The indictment also includes photos of three of the people indicted. This comes across as a shot across the bow to show China that the US govt can identify the individual people doing these things.
"Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us."
That's the line that stood out to me. If so, the threat sounds like they could turn it off or reveal everyone at once, not so much a selective attack (why announce it like that then? Certainly not if you were going to use parallel reconstruction to keep the fact secret).
However, the line:
> 34 servers located in nearly 20 countries
Doesn't describe Tor. You don't use that many servers (nodes). And its strength isn't based on number of hops. That's more old school hack a box and put in a chain.
Then what's the cloak? Is their ability that they can easily "go around" somehow any X number of connections right to the source?
If the prosecutors were to do so knowingly, the prosecutors would be breaking their oath to the Constitution (and simultaneously obliterating their case/perhaps committing crimes of their own).
"In connection with the management and protection of its databases, Equifax developed and maintained proprietary compilations, processes, and codes that constituted trade secrets, for which it had taken reasonable measures to keep secret..."
a) They are charged with conspiring with each other to do this, but simultaneously
b) "fits a disturbing and unacceptable pattern of state-sponsored computer intrusions", and in the process they managed to commit
c) "conspiracy to commit wire fraud"
None of those 3 things make any sense in the face of the others. How is doing this kind of thing even legal?
The US has no jurisdiction to arrest Chinese soldiers on Chinese land. How could it be illegal? They would become prisoners of war in a war that doesn't legally exist.
I remember an opinion piece claiming hackers might have piercings, tattoos, neon colored hair, which doesn’t jibe well with (U.S.) government agencies where people wear suits.
I’m curious if there is concrete data breaking down whether recruiting for cyber security roles in the public sector is constrained by culture, compensation or something else.
Nobody who runs the bay area rat race gets to be root on other countries computer systems and have an easy commute through semi-rural Georgia. There's definitely a group of people to whom the life that comes with a government job is attractive.
Totally, but the question becomes what caliber of scientist that is attracting.
I guess someone could work for a pittance for a few years then leverage an NSA position for absurdly higher pay at a government contractor doing the same thing.
Anecdotally, nobody I saw doing cybersecurity work for the government had to wear a suit, unless they had a performance review that day, or had to give a presentation to senior management. It was mostly jeans and t-shirts from what I saw, maybe a polo if they were a junior manager.
> They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity
How cool is that. They have been able to grab and correlate netflow from across 20 countries.
It looks like they’re using the common meaning of routing and are implying tunneling instead of actual route hijacking. So finding which servers they’re tunneling to is thorough but doesn’t seem all that impressive.
The problem with being a political "hack" and repeatedly lying is that it creates doubt when you might be telling the truth. With William Barr's name on this, it is weaker.
Well, if the bank left their vault door open, and you walked straight in taking something, it would still be considered theft - even though the door is open, you're not authorized to be there.
I don't think China cares to follow international, or even their own stated, protocols very well - reminded of recently seeing a comment highlighting China's official values that include freedom of speech, yet in the same stroke - the comment thread highlighting that China has the phrase "freedom of speech" banned from use in social media for people demanding "I want freedom of speech."
The CISO of Equifax assured a reporter it was possible it still could have happened even when patched.
"The Equifax security chief noted that the company continues to fend off attempted cyberattacks every day, and expects hacks to escalate in the future. He said that given how dedicated the Chinese military hackers were, a breach could still have happened even if the vulnerability had been patched. "They're extraordinarily sophisticated," Farshchi said in an interview. "I would say that it's possible.""
1/ Cross-reference their Equifax data with the OPM database they stole, and use it to identify American NOC operatives entering China (or their sphere of influence, or countries whose border system they've pwned) and place them under surveillance from the start.
2/ Create a score of potential recruit-ability based on people's credit history, target them once they enter a field they're interested in.
Just curious. How much faith do Americans have in current DOJ’s credibility after the whole Trump impeachment show and Barr’s politically driven handling of Mueller report? To me I believe the current DOJ can make political allegations with very weak evidence or even with no evidence at all. I am sure China would say show us the evidence and we all know it’s not gonna happen.
He probably thinks wow why is it that nobody ever considers that this problem would go away if we just came up with a better system for identity, such as how PGP works.
Well, not using PGP specifically, but imagine having a social security card with two QR codes on it in addition to your social security number. One of the QR codes contains a private key and the other a public key. The financial institutions and credit reporting agencies can freely access your public key and it's safe to give away. You can make signatures with your private key when it's scanned at a bank or on a phone and the signatures can be verified to be correct by your publicly available public key.
I like the idea better of making additional keypairs that have a chain of signatures back to your social security card so that you don't have to rely on it as much. It seems to me there's a lot of things that could be very workable as far as this is concerned, but just to be clear I just like to use PGP as an analogy to a system that could work.
That sounds like a very important key. I'm not discounting the technical merits of your proposal, but I'd worry it'd be very hard to secure the infrastructure used to create, update, and track those keys.
(This is the same logic many use for opposing backdooring encryption, since often it boils down to key escrow)
Meh, the “hack” is a symptom of a broken credit model. If you fix the fundamental problem then it makes it harder for bad actors to create problems like this (no matter what the intention is.)
Bothering with the international politics is a waste of valuable time and energy and will probably just hurt people.
> these companies are committing slander against Americans and facilitating fraud en masse
What slander? If credit information is inaccurate, you can have it changed. If they don't do it in a timely fashion, you can sue. (I won several thousand dollars a few years back for a tax lien on my report that wasn't even mine.)
I'm no fan of credit bureaus at all, but "slander" is hyperbole and not even true (and it's an inaccurate word, when credit reports are written, thus the correct word would have been "libel" -- however, even accusing credit bureaus of libel is ridiculous.)
To further dispute the claim that these companies "slander" people, one must look at what the legal test is for defamation.
The company (or person) must have:
1. Published or otherwise broadcast an unprivileged, false statement of fact about the plaintiff
2. Caused material harm to the plaintiff by publishing or broadcasting said false statement of fact
3. Acted either negligently or with actual malice
Credit bureaus don't publish or broadcast.
Material harm has to be proven. There must be quantifiable damages. Just shouting someone's potentially inaccurate credit information from the rooftops isn't necessarily causing damages -- it's possible, but those damages would have to be proven.
It's not negligent if a file is inaccurate -- it's negligent if they were presented with a challenge of that inaccurate information and refused to correct it. However, admittedly, the bureaus do seem to act negligently rather frequently when it comes to information accuracy -- however, negligence alone doesn't make a defamation case -- the information must be publicly released (i.e. broadcast or published,) and cause material harm.
> and facilitating fraud en masse.
...and facilitating credit en masse... Without credit bureaus there would be a much more difficult credit market and it would be much more subject to discriminatory practices. A credit report can't be racist, but a local bank manager, making a credit decision based on "knowing you" is (and has been,) prone to discrimination and unfairness. The VP's golfing buddy needs a loan: "No problem, we got you!" While the immigrant business owner needs a loan -- a much more difficult proposition. America's economy is the largest in the world -- and contributing to that is the ready availability of credit.
To be clear, I'm not defending credit bureaus from their numerous misdeeds. But throwing words around like "slander" or "fraud" is a childish view on the importance of credit bureaus to the American credit system.
I can only speculate but I've given a lot of thought to this problem and:
1. nobody has suggested it as an alternative; nobody wants to completely get rid of the system we have now. PKI requires electronics to create and verify signatures created with the keypairs.
2. Because financial institutions do not care and it's not their prerogative. The social security administration is not responsible for people's credit reports and as far as they're concerned there is no problem.
3. People are afraid to try new things and new technology and it's up to the government to see that it's done correctly. Theoretically a problem could arise from somebody making a business out of "keeping track of your private key for you" which negates the purpose entirely.
4. People are lazy, and not everybody cares and doesn't necessarily speak to the benefit of people who don't care about their credit or their identity which is why I say it should be an option.
5. If cryptography fails, then the whole thing is pointless. But, I think most people will agree if cryptography fails we will have much bigger problems.
The solution I have in mind is similar to what I've seen with "paper bitcoin wallets" where you have two QR codes: a public and a private key. Imagine a social security card with two QR codes. When you create a bank account, or when you get a state id or something you can get another set of qr codes, that have a record of signatures provided by a state department's private key or that of a financial institution along with a signature provided by your social security card. With your new set you can safely put away your social security card. The idea being, signatures can represent business and billing agreements as well as establishing an identity chain similar to how PGP's web of trust works. Anyone can have your public key, you just have to keep your private keys safe. Even if somehow you stupidly manage to screw this up, it's not that hard to start over. People lose social security cards now and they have to be re-issued. They just have to come up with the system for it and start doing it.
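The signature chain proposed in the comments above (a root keypair on the card vouching for later keypairs, which then sign agreements), as an added Go example that is not part of the thread. Ed25519, the label strings, the message prefixes and all function names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Link is one delegation: the parent key vouches for Child by signing it.
type Link struct {
	Label string            // constructed label, e.g. "bank account"
	Child ed25519.PublicKey // newly issued public key
	Sig   []byte            // parent's signature over Label and Child
}

// NewKey generates a fresh keypair (stands in for one pair of QR codes).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// linkMessage is the byte string a parent signs; the prefix keeps a
// delegation signature from being replayed as a document signature.
func linkMessage(label string, child ed25519.PublicKey) []byte {
	return append([]byte("delegate-v1|"+label+"|"), child...)
}

// Delegate has the parent key sign a child public key.
func Delegate(parent ed25519.PrivateKey, label string, child ed25519.PublicKey) Link {
	return Link{Label: label, Child: child, Sig: ed25519.Sign(parent, linkMessage(label, child))}
}

// SignDoc signs an agreement with whichever key the holder carries day to day.
func SignDoc(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, append([]byte("document-v1|"), doc...))
}

// VerifyAgreement walks the chain from the root public key, then checks the
// document signature against the last key in the chain.
func VerifyAgreement(root ed25519.PublicKey, chain []Link, doc, sig []byte) error {
	if len(root) != ed25519.PublicKeySize {
		return errors.New("root key has wrong length")
	}
	current := root
	for i, l := range chain {
		if len(l.Child) != ed25519.PublicKeySize {
			return fmt.Errorf("link %d (%s): child key has wrong length", i, l.Label)
		}
		if !ed25519.Verify(current, linkMessage(l.Label, l.Child), l.Sig) {
			return fmt.Errorf("link %d (%s): not signed by parent key", i, l.Label)
		}
		current = l.Child
	}
	if !ed25519.Verify(current, append([]byte("document-v1|"), doc...), sig) {
		return errors.New("document not signed by the key at the end of the chain")
	}
	return nil
}

func main() {
	rootPub, rootPriv := NewKey() // the card; used once here, then stored away
	bankPub, bankPriv := NewKey()
	chain := []Link{Delegate(rootPriv, "bank account", bankPub)}
	doc := []byte("constructed loan agreement")
	fmt.Println("valid:", VerifyAgreement(rootPub, chain, doc, SignDoc(bankPriv, doc)))
}
```

A verifier only needs the root public key and the chain; the sketch has no revocation or re-issuance, which is where the key-management concern raised in the replies would have to be handled.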
Because user-first nym systems would solve the problem for consumers, not the surveillance stakeholders. Once again, if you're not the customer, you're the product.
If true this is a giant failure of Chinese intelligence. It just shows how far ahead the US is that they're able to charge specific people. The PLA needs to upgrade its capabilities if they don't want to stay an embarrassment.
I think this situation shows more the incompetence of the US cyber security apparatus, at least when it comes to securing critical systems.
With the OPM breach and the Equifax leak the Chinese have the personal details and biometrics of millions of Americans who work for the government in areas that handle sensitive information.
The Russians have already specifically identified US cyberwarfare individuals before. So, it can be done and has been done. With the information the Chinese already have it is very unlikely they could not do the same, but they'd gain very little from it. (The US doesn't gain much and should probably stop the practice also.)
I don't see where your link points to this and I mean it's pretty obvious the Shadow Brokers were aligned with foreign policy interests of the Russian government. If it was another adversary, I don't see why they worked so hard to benefit mostly Russia.
It doesn't achieve much, it increases the risk of revealing methods and sources. It also puts US cyber security personnel at greater risk, some of whom have spoken out against the practice.
[1] https://www.mcclatchydc.com/news/nation-world/national/natio...